At the Open University I am course consultant on Computer Forensics and Investigations, M889. This is an introduction to forensic computing aimed at people employed in security, computer security or support, or as a first step to a career in computer forensics. I am the author of a practical guide aimed at corporate security folk and lawyers, The Digital Evidence and Investigations Guide, published by the Information Assurance Advisory Council. (This is a free download; the specific law is English, but there are analogies for many other countries.) And since 1985 I have had a commercial practice in which I advise lawyers and give court testimony about evidence from computers.
But there are also a number of interesting academic issues.
The most important roles of a digital forensics technician are to identify material of potential interest; to acquire it safely so as to avoid contamination both of the item and of the system it came from; to preserve the material for repeated subsequent examinations and eventual presentation in court; to analyse the material; and to produce reliable extracts in a form in which a court can consider them. In relation to regular documents, records, etc. this is achieved by following generally recognised protocols and procedures, creating an audit trail of activities and generally being able to demonstrate continuity of evidence (chain of custody), explaining everything that has happened to the evidence from first discovery to production in court.
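The preserve-and-verify part of that process, reduced to code, as an added illustration that is not part of the original page: the acquisition hash is the reference, every later examination re-hashes the working copy before touching it, and each step is appended to a continuity-of-evidence log. The item identifiers and the byte string used as an "image" are constructed for the example.

```python
import datetime
import hashlib
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """An acquired image plus its continuity-of-evidence (chain of custody) log."""

    def __init__(self, item_id: str, source_desc: str, image: bytes, examiner: str):
        self.item_id = item_id
        self.image = image                     # working copy; must never be altered
        self.acquisition_hash = sha256(image)  # reference hash taken at acquisition
        self.log = []
        self._record("acquired", examiner, f"from {source_desc}")

    def _record(self, action: str, actor: str, note: str) -> None:
        self.log.append({
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "item": self.item_id, "action": action, "actor": actor,
            "hash": sha256(self.image), "note": note,
        })

    def verify(self, examiner: str) -> bool:
        """Re-hash before each examination; a mismatch means the copy cannot be relied on."""
        ok = sha256(self.image) == self.acquisition_hash
        self._record("verified" if ok else "INTEGRITY FAILURE", examiner, "pre-examination check")
        return ok

    def examine(self, examiner: str, extractor, description: str):
        """Run an extraction only on a verified copy, and log that it happened."""
        if not self.verify(examiner):
            raise RuntimeError(f"{self.item_id}: image hash no longer matches acquisition hash")
        result = extractor(self.image)
        self._record("examined", examiner, description)
        return result

    def custody_report(self) -> str:
        """The audit trail a court can be shown: who did what, when, and the hash at that moment."""
        return json.dumps(self.log, indent=1)


if __name__ == "__main__":
    # constructed sample "image" standing in for an acquired disk image
    item = EvidenceItem("EX-001", "constructed test image", b"invoice 2009 ... contact list", "examiner A")
    print(item.examine("examiner B", lambda img: b"contact" in img, "keyword search for 'contact'"))
    print(item.custody_report())
```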
But a digital forensics technician can achieve much more than that. Careful research over the years, often using reverse engineering, has uncovered many artefacts on computer disks from which conclusions and inferences can be drawn. Deleted files can be wholly or partially recovered, timelines of activity created, and web-browsing and file-sharing actions reconstructed. Evidence found may point explicitly to guilt or innocence, provide collateral support, or point to planning and intentions.
For an academic, in addition to the challenges of finding these artefacts, proving their consistent forensic value and perhaps writing tools to take advantage of them, there are a number of other issues:
Nature of Forensic Science Digital Forensics has grown up at some distance from its more traditional siblings; are there any fundamental differences? How do we cope with a rate of change unparalleled elsewhere? For example: good practice suggests newly discovered artefacts should be the subject of a peer-reviewed journal article, but that may not occur before the artefact becomes an issue in court.
Research methodologies, Tool testing Classic research technique suggests that you should run your tests in a “clean” environment, observe all the changes, and develop rules based on what you see. But in a running computer, what constitutes a “clean environment”? Does it depend on circumstances? All investigators use tools which they have not had the time to test themselves. What rules can we develop to reduce the problems this may cause?
Investigation Methodologies and Good Practice Much digital forensic training concentrates on the detail of examining artefacts. But now that hard-disks are so large it is no longer possible to examine everything. There have to be strategies which help prioritise - where to start, how to get an overview, how to assess the technical competence of the computer owner, which examinations to run in which order. How far can we provide a formalised discipline for these activities? A related issue is Triage - in large cases with seizure of multiple computers: which techniques and processes can be used to decide what to ignore? And how does this fit with obligations to the court and for disclosure to “the other side”?
Ethics The examination of a personal computer or eavesdropping on a communications stream is a highly intrusive activity from which the innocent need to be protected. The expert witness in court (see also below) can have extraordinary powers to persuade a court on a matter of which it has little knowledge and so sway the outcome of a trial. What sorts of Codes of Ethics do we need, and how might they be enforced?
Role of Expert Witnesses “Expert” can mean “with specialist knowledge” or “permitted to offer opinion evidence to assist the court”. In the UK all experts have an over-riding duty to the court, irrespective of who employs them. But this can create real difficulties for which most training does not adequately equip them. Since the end of 2007 within the UK, pre-trial meetings between experts to find points of agreement and so relieve the strain on the trial have had a formal standing. But there is little practical guidance and training available. In April 2009 the Law Commission produced a consultation Report on the future of expert evidence. One suggestion is to give a greater role to judges in deciding who can give evidence and how to cope with novel scientific evidence (in effect adopting a version of the US Daubert rules?).
Certification, Registration of Practitioners Everyone thinks the route to excluding poor and misleading expert evidence is a registration scheme. But what is the optimal basis for assessment? How is it to be sponsored, and who pays the assessors (and how are they chosen)? I was involved with the CRFP scheme (which lost its Home Office funding in March 2009) and also currently advise the Forensic Science Regulator, but I now believe that certification/assessment is only part of the story; expert competence should be more rigorously tested by opposing lawyers, and probably be an important part of a pre-trial review.